by Dan Rua…just a VC, living vicariously thru entrepreneurs…

FlexiSpy, ShopKick, Roving Bugs and a New Breed of Spyware?

Given all the coverage of iPhone, Android, BlackBerry and Windows Mobile apps lately, I’m surprised I’ve seen relatively little discussion of the new privacy issues some apps present, particularly when they leverage phone resources such as the microphone. Microphone spying may have been a small issue when many desktops didn’t have microphones, or when the microphone was stuck wherever the computer sat, but the ubiquity and proximity of smartphone microphones opens a new “roving bug” risk that extends beyond the phone owner to anyone nearby.
Background

A bug does not have to be a device specifically designed for the purpose of eavesdropping. For instance, with the right equipment, it is possible to remotely activate the microphone of cellular phones, even when a call is not being made, to listen to conversations in the vicinity of the phone.

As you can see, cellular phone bugging is a natural extension of “bugs” or “wires”, but the references for that article all predate the mobile app explosion. In 2006, Declan McCullagh covered the FBI’s use of cell phone “roving bugs” for legal wiretapping, as did computer security expert Bruce Schneier. The judge in that case suggested that the failure of alternative methods made a difference in the legality of roving bugs:

The FBI’s “applications made a sufficient case for electronic surveillance,” Kaplan wrote. “They indicated that alternative methods of investigation either had failed or were unlikely to produce results, in part because the subjects deliberately avoided government surveillance.”

Most references I saw to this topic harked back to similar law enforcement use. However, there are also implications unrelated to law enforcement, specifically the wiretapping and eavesdropping laws that apply to private citizens. The Reporters Committee for Freedom of the Press provides a nice guide on recording conversations. Some highlights from that guide include:

Thirty-eight states and the District of Columbia permit individuals to record conversations to which they are a party without informing the other parties that they are doing so. These laws are referred to as “one-party consent” statutes, and as long as you are a party to the conversation, it is legal for you to record it….

Twelve states require, under most circumstances, the consent of all parties to a conversation. Those jurisdictions are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Be aware that you will sometimes hear these referred to inaccurately as “two-party consent” laws. If there are more than two people involved in the conversation, all must consent to the taping….

Regardless of the state, it is almost always illegal to record a conversation to which you are not a party, do not have consent to tape, and could not naturally overhear….

Legality

Let’s now apply these standards to some of the apps now appearing, such as FlexiSpy and ShopKick. If you know of other apps listening via smartphone microphones, please share in the comments. FlexiSpy is pretty transparent about the spying its app does, admitting that it “secretly records events that happen on the phone and delivers this information to a web account, where you can view these reports 24×7 from any Internet enabled computer or mobile phone. FlexiSPY PRO-X also allows you to listen to the surroundings of the target mobile, listen to the phone conversation and to know the location of the device.” In fact, they provide a helpful video demonstrating it.

ShopKick, on the other hand, is pretty quiet about the microphone activation they do, when they do it, how long they eavesdrop and exactly what they promise to do with anything their software hears. Do they listen during calls, in confidential meetings, in the bedroom? The most concrete reference I found was under Android Settings -> Applications -> Manage Applications -> shopkick -> Permissions -> Hardware controls: record audio, take pictures. I couldn’t find any reference to their handling of recordings in their Terms of Service or Privacy Policy.
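The Settings screen shows which hardware permissions an app declares, but not whether it is currently allowed to use them, and it is tedious to check across many apps. As an added example (not code from the original post or from any of the apps discussed), the script below performs the same check from a workstation against the text that `adb shell dumpsys package <package>` prints. At the time of this post Android granted every declared permission at install time; since Android 6.0 the microphone, camera and precise location permissions are granted at runtime and can be revoked, so the parser reports both the declaration and the grant state. The dump embedded here is a constructed sample that approximates the real layout, and the package name `com.example.rewards` is hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample approximating `adb shell dumpsys package com.example.rewards`
# output on a modern Android build. The package name is hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.rewards] (7a3b2c1):
    userId=10231
    versionName=1.4.2
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=4101 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

# Permissions that let an app capture the people around the phone, not just its owner.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# A permission line, optionally followed by its grant state.
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_permissions(dump: str) -> Dict[str, Dict[str, object]]:
    """Return {permission: {"requested": bool, "granted": True/False/None}}.

    "requested permissions:" lists what the manifest declares; the
    "install permissions:" and "runtime permissions:" blocks carry the
    actual grant state. A permission that is declared but never appears
    in a grant block is reported with granted=None.
    """
    perms: Dict[str, Dict[str, object]] = {}
    section = None
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped[:-1]          # e.g. "requested permissions"
            continue
        m = PERM_LINE.match(line)
        if not m or section is None:
            continue
        name, granted = m.group(1), m.group(2)
        entry = perms.setdefault(name, {"requested": False, "granted": None})
        if section == "requested permissions":
            entry["requested"] = True
        elif granted is not None:
            entry["granted"] = (granted == "true")
    return perms


def sensitive_report(dump: str) -> List[str]:
    """One line per sensitive permission the app declares, with its grant state."""
    perms = parse_permissions(dump)
    labels = {True: "granted", False: "not granted", None: "grant state unknown"}
    report = []
    for name, what in SENSITIVE.items():
        entry = perms.get(name)
        if entry and entry["requested"]:
            report.append(f"{what}: {name} ({labels[entry['granted']]})")
    return report


if __name__ == "__main__":
    # In practice: adb shell dumpsys package com.example.rewards > dump.txt
    for line in sensitive_report(SAMPLE_DUMPSYS):
        print(line)
```

The same declarations can be read straight from an APK with `aapt dump permissions app.apk`, but only the `dumpsys` output tells you whether the user has actually granted them. A granted `RECORD_AUDIO` still says nothing about when the app listens or what it does with the audio, which is the gap the Terms of Service and Privacy Policy would need to close.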

Note that I don’t see anything suggesting these apps work like the song-naming app Shazam, which only listens when a user specifically asks it to identify a song it hears. Roving spyware like FlexiSpy, ShopKick and others appear to record via the microphone without the phone’s owner tapping a button to record. If we assume that these applications record sounds nearby, then they inevitably hear the phone’s owner, nearby friends and anyone close enough for the smartphone’s microphone to pick up. It seems like such wholesale listening would at least conflict with laws that make it “illegal to record a conversation to which you are not a party”, and likely with one-party consent statutes as well.

Privacy

Beyond legality, what do these apps mean for the ongoing balance of privacy and functionality? Do we need to trade away always-on microphone privacy to get what we want from mobile apps? With multiple radios and signal processors in these smartphones, such as Wi-Fi, cellular and Bluetooth, are there other ways to accomplish the same functional goals without roving microphones? If not, I’ve got plenty of ideas on how to leverage those recordings…

[Disclosure: I have investments in multiple companies with mobile apps, including Grooveshark and IZEA, but I don’t believe any of them leverage microphone eavesdropping.]

Uh, Shopkick has this little thing called walk-ins, which give you points. They work by your phone listening for a special audio frequency played by shopkick devices installed at certain stores. For the shopkick app to listen, it needs the record audio permission (there is no simple “listen but don’t record audio” permission. Makes no sense from a programming standpoint, and any app that needs to hear audio requires that permission). It’s a core feature of the app, on both Android and iOS. Have you even used the app?
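The comment above describes listening for a single tone rather than capturing speech. As an added example (written here, not ShopKick’s code, whose internals the post does not know), this is what that mechanism looks like when implemented with the Goertzel algorithm: each microphone frame is reduced to one number, the power at the beacon frequency, and the frame is then discarded. The beacon frequency (18 kHz), the frame size and the thresholds are assumptions, and the audio is a constructed signal. The comment’s point stands either way: the OS cannot tell this code apart from a recorder, because both need `RECORD_AUDIO`; what separates them is only what the app does with the frame, which is exactly the transparency question the post raises.

```python
import math
from typing import List, Sequence

SAMPLE_RATE = 44100     # Hz; typical phone microphone capture rate
BEACON_HZ = 18000.0     # hypothetical beacon tone, above most adults' hearing
FRAME = 2048            # samples per analysis window, about 46 ms at 44.1 kHz
MIN_AMPLITUDE = 0.05    # tone must be at least 5% of full scale to count...
MIN_DOMINANCE = 20.0    # ...and 20x stronger than the bins 3 steps either side


def goertzel_power(frame: Sequence[float], target_hz: float, sample_rate: int) -> float:
    """Power in the DFT bin nearest target_hz, via the Goertzel recurrence.

    Only one bin is computed, no full FFT, which is why Goertzel is the
    classic choice for DTMF and beacon detection on constrained devices.
    """
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)       # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def beacon_present(frame: Sequence[float]) -> bool:
    """True if a narrow tone at BEACON_HZ dominates the spectrum around it."""
    n = len(frame)
    p_beacon = goertzel_power(frame, BEACON_HZ, SAMPLE_RATE)
    # For a pure sinusoid of amplitude A the bin power is about (A*n/2)^2,
    # so this recovers the tone's amplitude on a 0..1 full-scale axis.
    amplitude = 2.0 * math.sqrt(p_beacon) / n
    if amplitude < MIN_AMPLITUDE:
        return False
    # Reject broadband energy (clicks, hiss) by requiring a narrow peak.
    k = int(0.5 + n * BEACON_HZ / SAMPLE_RATE)
    side = [goertzel_power(frame, (k + d) * SAMPLE_RATE / n, SAMPLE_RATE) for d in (-3, 3)]
    return p_beacon > MIN_DOMINANCE * max(side)


def scan_stream(samples: Sequence[float]) -> List[int]:
    """Indices of frames in which the beacon was heard.

    Each frame is analysed and dropped; only the boolean verdict survives,
    so nothing resembling a recording outlives one 46 ms window.
    """
    hits = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        if beacon_present(samples[i:i + FRAME]):
            hits.append(i // FRAME)
    return hits


# --- constructed test signal (not captured audio) -------------------------

def tone(hz: float, amplitude: float, n: int) -> List[float]:
    return [amplitude * math.sin(2.0 * math.pi * hz * t / SAMPLE_RATE) for t in range(n)]


def mix(*signals: Sequence[float]) -> List[float]:
    return [sum(vals) for vals in zip(*signals)]


# Three frames of voice-like low tones, three frames with the beacon mixed in
# at a modest level underneath them, then two frames of silence.
VOICE = mix(tone(220.0, 0.5, FRAME), tone(1200.0, 0.3, FRAME))
BEACON = tone(BEACON_HZ, 0.3, FRAME)
STREAM = VOICE * 3 + mix(VOICE, BEACON) * 3 + [0.0] * (FRAME * 2)

if __name__ == "__main__":
    print("beacon heard in frames:", scan_stream(STREAM))
```

The detector needs the raw frame, so on Android it runs behind the same `RECORD_AUDIO` grant a voice recorder would use; the only thing that makes it a beacon detector rather than a bug is that `beacon_present` returns a boolean and the samples go out of scope.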

@stephanie: I agree, no need for government, just transparent developers on exactly what/when they record, how those recordings are used, and what is done with them after use — resulting in more informed consumers.

@cde: I understand that recording audio around someone’s smartphone is, in your words, a “core feature of the app”. That’s exactly why it was included in this article. However, they say nothing in their TOS, Privacy Policy or marketing materials about the details of those recordings. For example, do those recordings meet the requirements of state and federal eavesdropping laws? If so, how? If not, how far does the legal risk extend; just the app developer, to the merchant getting walk-ins, to the user whose phone is recording conversations? I’m not sure the laws include a “there is no simple ‘listen but don’t record audio’ permission” exception.

Interesting ideas, but why take such a cynical view? In my experience with the Shopkick app, there is almost no chance that it can be uploading audio clips to a server somewhere. A bandwidth monitoring app can show you the minuscule amount of data that SK is uploading when it is running, and that once the ShopKick app is no longer running, it is not transferring any data.

Trackbacks / Pingbacks

[…] of scary) can still have an actual function. Shopping rewards app ShopKick, for example, appears to turn on your microphone and record audio without you knowing about it. If you installed this shopping rewards app, you probably didn’t notice or think much about […]

About

Thanks for stopping by. In case we haven't met before, I'm Dan Rua, Managing Partner of Inflexion Partners, an early-stage venture capital fund based in Florida and focused on the Southeast US. Prior to Inflexion I was a partner with Draper Atlantic, DFJ's first east coast fund based in Northern Virginia. Prior to that I co-founded an email software company and was an engineer with IBM's Networking Software Labs in RTP, NC.

This blog is for sharing stories and discussing entrepreneurs, venture capital, technology, and Florida -- particularly when I can provide perspective unique from the typical Boston (B) or Silicon Valley (S) view. Inflexion is my third fund and all my funds have focused on building world-changing companies in regions outside the BS...